Posts

Risk Reduction: #1 Concern of Bank Boards

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

11DIt’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

  • 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
  • 63 percent said that a separate risk committee on the board oversaw risks.
  • 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren’t doing this.
  • 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
  • Of this 30 percent, less than half actually use it to supply limits to the board and management.
  • The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren’t getting fully used.
  • And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
  • 17 percent go over the bank’s risk profile monthly at the board and executive level, and about 50 percent review such only quarterly; 23 percent twice or once per year.
  • 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
  • 53 percent want more understanding of newer risks like cyber security issues.
  • Senior execs want the board to have more training in overseeing the risk appetite and related issues.
  • 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
  • Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

15 Tips to Prepare for Big and Small Security Threats

Businesses that focus on the big security breach may very well be missing the smaller threats that can do serious damage.

4HA human can easily kill a gnat. So how is it that just one gnat can drive you crazy, even though you can kill it in an instant? You are bigger and mightier … yet one gnat can get the best of you. That’s because you’re too big for the gnat, as it buzzes around your eyes, nose and in your hair.

This is just like when businesses implement giant measures to enhance security and protect themselves against big threats like hacking, or natural disasters like a tornado. The business feels mighty with its extensive video surveillance, steel bolt doors and armed security guards. Yet, it’s unable to foresee or handle the small stuff that can have dire consequences.

Some businesses make the mistake of focusing on only a handful of tactics and, as a result, other threats slip in undetected, or if detected, they’re not detected enough to be mitigated. Instead, all the business leaders can do is swat haphazardly, hoping to get a hit.

When businesses zoom in on only a few specific tactics, this results in a rigid plan that can’t adapt, and is useful only if the anticipated threat is precisely how it was envisioned in the first place. Concentrating on just a few selected risks means not seeing the bigger picture—missing greater risks that can come along.

Of course, you can’t possibly anticipate every possible threat. But preparing for just a few isn’t smart, either. What’s a business leader to do? Follow this list to prepare smarter.

Emergency Plan of Action

  1. Make sure all security and continuity plans are adaptable.
  2. Consider the human component, and work it in to the plan. Can IT’s brilliant plan be sustained by a person? Are facilities manned by one person or a team? .
  3. Cover all basics and implement regular updates.
  4. Don’t get sucker punched. Consider a variety of threats (from cyber sources to natural sources), not just a few, and the various ways your organization can respond and resolve.
  5. Be aware. Figure out backup locations for your business to function should you be forced to displace.
  6. Prepare staff. Designate a core team and keep their contact information handy so anyone can reach them anywhere.
  7. Communicate. Design an emergency communications protocol for employees, vendors and customers, etc., for the days post-disaster. Confirm emergency response plans with your vendors and suppliers, and prepare to use alternate vendors.
  8. Keep your data backup tools in excellent condition.
  9. Keep your inventory of assets up to date.
  10. Safely and efficiently store documents. Duplicates of all crucial documents should be kept off-site.
  11. Routinely make data backups, ideally both locally and with a cloud service.
  12. Determine succession of management in case key players can no longer function.
  13. Know the signs of a dying computer. A blue screen can mean a hardware problem or driver conflict. If things are taking way too long, there may be too much software … or a failing hard drive. Strange noises during startup, for instance, can also mean a hardware failure. Consider it your warning.
  14. Set up your backups. You can set up backup protocols with a program like Belarc Advisor, which is free and lets you know what to install and when it’s time to replace a computer.
  15. You may want to consider replacing your computer every two or three years to avoid being stiffed by a computer that’s suddenly gone stiff. Nothing’s more alarming than suddenly losing all your data, and there’s no backup computer that you can just turn on and pick up where you left off.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Top Security Techniques That Work For The Masters

Banks know security just about better than anyone. Find out what they can teach you about safeguarding your small business.

8DSecurity is a journey, not a destination. This is a security industry axiom that means we can strive for security, and by making this effort, we can put ourselves on a path to security. But while we may achieve a relative degree of security, our businesses will never be 100 percent secure—the destination we all strive for. Even Fort Knox, the White House and the New York Stock Exchange are vulnerable.

But that doesn’t mean we shouldn’t strive to reach our destination. In order to protect our businesses, we can apply strategies that significantly reduce our risk level. One of the best security techniques is layering. Layers of security make a criminal’s job more difficult, as they are forced to address all the vulnerabilities in our business.

Helen Keller once said, “Security is an illusion; life is either a daring adventure or nothing at all.” Her quote has significance, although it’s not entirely accurate. That’s because security is part illusion and part theater. The illusion, like a magic act, seems believable in many cases.

Security theater, on the other hand, refers to security intended to provide a sense of security while not entirely improving it. The theater gives the illusion of impact. Both play a role in deterring criminals, but neither can provide 100 percent security, as complete security is unattainable. Hence, security is a journey, not a destination.

Banks know security, both the illusion and the theater. They have to, because robbers target these buildings daily. Because banks want to promote a friendly and inviting environment, consumers are mostly oblivious to the various layers of security that financial institutions utilize to protect their bank accounts. And that’s not a bad model to follow.

What Banks Know About Security

Banks have multiple layers of security. The perimeter of most banks are often designed to include large windows, so passersby and law enforcement can easily see any problems occurring inside. The bank’s doors also have locks. There is, of course, an alarm system, which includes panic buttons, glass-break detectors and motion sensors. These are all layers, as are the security cameras, bulletproof glass and armed guards. Ideally, the tellers and members of management should have robbery-response training. Many banks also use dye packs or GPS devices to track stolen cash.

All banks have safes, because banks know that a well-constructed safe is the ultimate layer of security. A safe not only makes it extremely difficult for a bank robber to steal the bank’s money, but it also protects the cash in the event of a fire.

And then there are the multiple layers of computer security. The basics include antivirus, antispyware, antiphishing and firewalls. However, there are numerous additional layers of protection that monitor who is accessing data and why, and numerous detectors that look for red flags which indicate possible identity theft.

Banks also recognize that a simple username/password is insufficient, so they require their clients to adopt multifactor authentication. Multifactor authentication is generally something the user knows, such as a password or answers to knowledge-based questions, plus something the user has, such as a smart card, token or additional SMS password, and/or something the user is, such as identification through a biometric fingerprint, facial recognition, hand geometry or iris scan. In its simplest forms, multifactor authentication occurs when a website asks for a four-digit security code from a credit card or installs a cookie on your machine, or when a bank requires a client to add a second password to his or her account. Some institutions also offer or require a key fob that provides a changeable second password (a one-time password) to access accounts, or it might require a reply to a text message in order to approve a transaction.

Every layer of protection the bank adds is designed to make it harder for a criminal to get paid.

Consider a layered approach for your small-business security plan. Think about the current layers of business protection you have in place, and then consider how many more layers you might want to install to ensure a seamless customer experience and a security-minded culture.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Evaluating Physical and Information Security Risks

When it comes to protecting an organization’s information, flaws with this can involve either implementing strong technology to protect too much trivial data, or inadequate protection of important and sensitive data.

7WIn short, not enough attention is cast upon a company’s most important information; there’s a gap between the IT department and the operational units of the business.

A thorough risk assessment is warranted in these cases. Once all the risks are identified, strategies can be created by personnel to prioritize risk minimization. This is risk management.

Risk has several components: assets, threats and weaknesses. Businesses must address (risk-assess) all components—internally, rather than externally by outsourcing.

A risk assessment identifies all potential risks, then analyzes what might happen in the event of a hazard.

A BIA (business impact analysis) is the process by which potential impacts are determined that result from the impediment of critical business activities. With a BIA, the results of disrupted business processes (which can include losses or delayed deliveries, among many others) are predicted; information is collected to come up with recovery strategies.

The objective is to maximize cost/benefit: identify the most relevant risks and reduce them with minimal investment.

The strategy is to determine what risks this company may face in a given year (e.g., digitized information, reputation, paper documents, employee safety).

Next is to formulate a list of possible sources of threats (employees, hackers, customers and competitors, to name some) based on the experiences of many in the organization. There are also risk assessment plan guidelines online.

Then next is a risk assessment chart. A list of assets must be compiled (e.g., employees, machinery/equipment, IT, raw materials, etc.) in a left column. Then opposite each asset, put down its associated hazards that could yield an impact. Each hazard is broken down into high probability-low impact and low probability-high impact.

Review the impacts for vulnerabilities that may make the asset prone to a loss. Here you’ll find opportunities for threat prevention or mitigation. Probability of occurrence can be specified with L for low, M for medium, H for high.

Information from the BIA would go towards rating the impact on “Operations.” Make an “entity” column for estimations of potential impacts (e.g., financial, brand/reputation, contractual). “Overall Hazard Rating” combines “probability of occurrence” and the highest scoring that impacts operations, employees, property, etc.

A worst case scenario? Do nothing. After all, a failure to plan is a planned failure.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.